
Installation in Kubernetes Cluster

If you want to deploy Nevis onto a Cloud infrastructure, we recommend a Kubernetes-based installation. This installation is based on the Docker containerization and Kubernetes orchestration technologies.

For a general overview of the Nevis-on-Kubernetes deployment solution, check Kubernetes Deployment (Cloud).

  • In the chapter Kubernetes Deployment Troubleshooting you can find information about how to debug the configuration.
  • In the chapter Kubernetes Upgrade you can find information about how to upgrade your existing installation.

In this installation tutorial, you will set up nevisAdmin 4 on an existing Kubernetes cluster.

Pay attention to the following points:

  • For general guidance, refer to System Requirements.
  • For the database, you should use a MariaDB server.
  • In some Kubernetes installations, special permission settings or entitlements are required, for example, for the ingress-nginx component.
  • Any Kubernetes-compatible product or cloud provider should work.
    • For more details about the supported versions of the above providers, see the Nevis Product Lifetime and Platform Support Matrix.

Prerequisites

  • Have an existing Kubernetes cluster and have enough permissions to create resource groups and resources, which includes RBAC permissions.
    • The installation of the CRDs, ingress-nginx and the cert-manager component needs cluster-wide permissions; for the rest, namespace-scoped permissions are enough.
  • Have a MariaDB database with the correct configuration (see the component-specific documentation). Generally, the following settings are needed:
autocommit=0
transaction-isolation = READ-COMMITTED
log_bin_trust_function_creators = 1
lower_case_table_names = 1
character-set-server = utf8mb4
  • The supported Kubernetes versions for this guide are listed in the Kubernetes versions support policy (/nevislifetimesupport/Support-Policies-for-Third-Party-Software/kubernetes-support-policy-for-nevis).
  • A Linux environment with the following software pre-installed:
    • kubectl: Kubernetes command line interface. The same minor version is recommended as the used Kubernetes version.
    • docker: Docker client.
    • helm: Helm CLI

This guide requires basic knowledge of Linux and Kubernetes. If you are new to these topics, we recommend that you follow tutorials or courses available online. If you have limited time, focus on Kubernetes tutorials, for example: Viewing Pods and Nodes.
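The MariaDB settings listed above are easy to get subtly wrong (a different isolation level, a missing `log_bin_trust_function_creators`, or the setting placed in the wrong option group), and the schema jobs only fail later. The following script is an added example, not part of the Nevis documentation: it reads a MariaDB option file and reports every required setting that is missing or has another value. It assumes my.cnf syntax with the settings in the `[mysqld]`, `[mariadb]` or `[server]` group, treats `-` and `_` in option names as interchangeable (as MariaDB does) and compares values case-insensitively; the function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the Nevis documentation): check a MariaDB option
# file for the settings listed in the Prerequisites section.

# Settings required by the Nevis components (from the Prerequisites section).
REQUIRED_SETTINGS='autocommit=0
transaction_isolation=READ-COMMITTED
log_bin_trust_function_creators=1
lower_case_table_names=1
character_set_server=utf8mb4'

# Turn one "name = value  # comment" line into "name=value" with a normalised
# name ('-' becomes '_', lower case); lines without '=' produce no output.
normalize_line() {
  printf '%s\n' "$1" \
    | sed -e 's/[#;].*$//' \
          -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/[[:space:]]*=[[:space:]]*/=/' \
    | awk -F= 'NF >= 2 { n = tolower($1); gsub("-", "_", n); print n "=" $2 }'
}

# Print the normalised settings of the server option groups of file $1.
mysqld_settings() {
  section=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \[*\]) section=$(printf '%s' "$line" | sed 's/^\[\(.*\)\]$/\1/' | tr 'A-Z' 'a-z'); continue ;;
    esac
    # MariaDB reads mysqld settings from all three of these groups
    case "$section" in
      mysqld|mariadb|server) normalize_line "$line" ;;
    esac
  done < "$1"
}

# Report every required setting that is missing or has another value in
# file $1. Returns 0 only when all of them match.
check_mariadb_cnf() {
  actual=$(mysqld_settings "$1" | tr 'A-Z' 'a-z')
  status=0
  for want in $REQUIRED_SETTINGS; do
    want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    name=${want_lc%%=*}
    if printf '%s\n' "$actual" | grep -qx "$want_lc"; then
      continue
    fi
    # the last occurrence of an option wins in MariaDB, so report that one
    have=$(printf '%s\n' "$actual" | grep "^$name=" | tail -n 1)
    if [ -n "$have" ]; then
      echo "MISMATCH: want $want, file has $have"
    else
      echo "MISSING: $want"
    fi
    status=1
  done
  return $status
}

# Constructed sample file (not a real server configuration): one setting is
# wrong and one is absent, so the check reports both and returns 1.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[mysqld]
autocommit = 0
transaction-isolation = REPEATABLE-READ   # must be READ-COMMITTED
lower_case_table_names = 1
character-set-server = utf8mb4

[client]
default-character-set = utf8mb4
EOF
if check_mariadb_cnf "$SAMPLE"; then
  echo "OK: all required MariaDB settings present"
fi
rm -f "$SAMPLE"
```

Run it against the server's option file (`check_mariadb_cnf /etc/mysql/my.cnf` or the file mounted into the database pod) before creating the schemas. For a managed database where the file is not accessible, the same five names can be compared against the output of `SHOW VARIABLES`, which reports them in the underscore form the script normalises to.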

Prepare Git Deployment Repository

In this tutorial, we use GitHub as the Git system. However, it is possible to use Bitbucket, Gitea, GitLab and more instead. The same options should be available in every case.

To configure the Git connection for nevisOperator, perform the following steps:

  1. Prepare GitHub.

  2. Create the SSH key material through the following commands:

    # generate key pair
    ssh-keygen -t ecdsa -C "kubernetes" -m PEM -P "" -f key

    # create known_hosts file, replace the github domain if another Git system is used
    ssh-keyscan github.com > known_hosts

    # make sure ssh keys were generated
    cat key
    cat key.pub

    The created key is used by both nevisOperator and nevisAdmin 4 to connect to GitHub.

  3. Add the key key.pub to your GitHub account, or to the repository itself as a deployment key.

Set environment variables

Set the following environment variables:

# Initial password of nevisAdmin 4
export NEVISADMIN_PASSWORD=
# The container registry of the Kubernetes cluster, for example: nevis.azurecr.io
export CONTAINER_REGISTRY=
# The namespace where the helm chart will be installed
export RELEASE_NAMESPACE=
# The name of the Helm release, for example nevisadmin4-prod
export RELEASE_NAME=
# Database host of the MariaDB database
export DATABASE_HOST=
# The root database user for the mariadb database, for example: root. If you are using an Azure database, do not include the host in the username.
export DB_ROOT_USER=
# The root database password for the mariadb database.
export DB_ROOT_PASSWORD=
# Password of the nevisAdmin 4 schema user which will be created during the installation
export DB_NEVISADMIN_SCHEMA_USER_PASSWORD=
# Password of the nevisAdmin 4 app user which will be created during the installation
export DB_NEVISADMIN_APP_USER_PASSWORD=
# URL of the Git repository to be used by nevisAdmin4.
export GIT_REPOSITORY_URL=
# Domain where nevisAdmin4 will be available. Make sure to point the domain to the IP of the nginx LoadBalancer after the installation is done. For example: test.westeurope.cloudapp.azure.com
export DOMAIN=
# For the temporary credentials, click the download button for one of the Docker images at https://portal.nevis.net/portal/secure/releases/rolling
export CLOUDSMITH_PASSWORD=
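Every `helm install` command later in this guide expands these variables with `--set`; an unset variable does not make Helm fail, it silently installs the chart with an empty value (an empty domain, an empty database host, a registry of `/nevis/...`). The script below is an added example, not part of the Nevis documentation, that checks the variables before anything is installed: all of them must be non-empty, namespace and release name must be valid DNS labels, the registry must be a bare `host[:port]` (it is used as an image name prefix), the domain must be a DNS name, and the Git URL must be an ssh or http(s) URL. The function names and format rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Nevis documentation: preflight check for the
# variables exported in the "Set environment variables" step.

REQUIRED_VARS="NEVISADMIN_PASSWORD CONTAINER_REGISTRY RELEASE_NAMESPACE RELEASE_NAME
DATABASE_HOST DB_ROOT_USER DB_ROOT_PASSWORD DB_NEVISADMIN_SCHEMA_USER_PASSWORD
DB_NEVISADMIN_APP_USER_PASSWORD GIT_REPOSITORY_URL DOMAIN CLOUDSMITH_PASSWORD"

# 0 when every variable is set and non-empty; otherwise lists the missing ones.
check_required_vars() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "unset or empty:$missing" >&2; return 1; }
}

# Namespaces and Helm release names must be RFC 1123 labels: lower-case
# alphanumerics and '-', at most 63 characters, not starting or ending with '-'.
is_dns_label() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# A DNS name made of dot-separated labels (used for DOMAIN).
is_hostname() {
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)+[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# The registry is used as an image name prefix (image.repository), so it must
# be a bare host with an optional port: no scheme, no path, no trailing '/'.
is_registry_host() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9.]*[a-z0-9])?(:[0-9]{1,5})?$'
}

# The Git URL may be scp-style (git@host:path), ssh:// or http(s)://.
is_git_url() {
  printf '%s' "$1" | grep -Eq '^([^@/:]+@[^:/]+:.+|ssh://.+|https?://.+)$'
}

# Run all checks; returns 0 only when everything passes.
preflight() {
  check_required_vars || return 1
  rc=0
  is_dns_label "$RELEASE_NAMESPACE" || { echo "RELEASE_NAMESPACE is not a valid namespace name: $RELEASE_NAMESPACE" >&2; rc=1; }
  is_dns_label "$RELEASE_NAME" || { echo "RELEASE_NAME is not a valid release name: $RELEASE_NAME" >&2; rc=1; }
  is_registry_host "$CONTAINER_REGISTRY" || { echo "CONTAINER_REGISTRY must be host[:port] without scheme or path: $CONTAINER_REGISTRY" >&2; rc=1; }
  is_hostname "$DOMAIN" || { echo "DOMAIN is not a DNS name: $DOMAIN" >&2; rc=1; }
  # the port is a separate chart value (database.port), so a host:port here is a mistake
  case "$DATABASE_HOST" in
    *://*|*:*) echo "DATABASE_HOST must be a host name without scheme or port: $DATABASE_HOST" >&2; rc=1 ;;
  esac
  is_git_url "$GIT_REPOSITORY_URL" || { echo "GIT_REPOSITORY_URL is neither an ssh nor an http(s) URL: $GIT_REPOSITORY_URL" >&2; rc=1; }
  return $rc
}

if preflight; then
  echo "preflight OK, safe to continue with the installation"
fi
```

Source the file in the same shell where the variables were exported (`. ./preflight.sh`) and only continue when it prints the OK line; the checks are deliberately conservative and reject values such as `https://nevis.azurecr.io/` for the registry, which would otherwise produce unusable image references.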

Upload Nevis Docker Images

Use the provided script to copy the Docker images from the Nevis Portal registry to the container registry of the Kubernetes cluster. Select one of the docker images in the portal under http://portal.nevis.net/portal/secure/releases/rolling to acquire a temporary username and password for the Nevis registry.

#!/bin/bash
# abort on the first failed pull, tag or push instead of continuing with a partial copy
set -euo pipefail

# get temporary username/token on the portal
REGISTRY=docker.cloudsmith.io/nevissecurity/rolling

echo "Login to registry $REGISTRY"
# read the password from stdin so it does not show up in the process list
echo "$CLOUDSMITH_PASSWORD" | docker login "$REGISTRY" -u nevissecurity/rolling --password-stdin
echo "Login to registry $CONTAINER_REGISTRY"
if [[ $CONTAINER_REGISTRY == *.azurecr.io ]] ; then
    # Azure Container Registry: authenticate through the Azure CLI
    az acr login --name "${CONTAINER_REGISTRY%".azurecr.io"}"
else
    docker login "$CONTAINER_REGISTRY"
fi

declare -a images=("nevisproxy:8.2411.0"
"nevisproxy-dbschema:8.2411.0"
"nevislogrend:8.2411.0"
"nevisfido:8.2411.0"
"nevisfido-dbschema:8.2411.0"
"nevisauth:8.2411.0"
"nevisauth-dbschema:8.2411.0"
"nevisidm:8.2411.0"
"nevisidm-dbschema:8.2411.0"
"nevismeta:8.2411.0"
"nevismeta-dbschema:8.2411.0"
"nevisadmin4:8.2411.0"
"nevisadmin4-dbschema:8.2411.0"
"nevisoperator:8.2411.0"
"nevisadapt:8.2411.0"
"nevisdetect-admin:8.2411.0"
"nevisdetect-core:8.2411.0"
"nevisdetect-entrypoint:8.2411.0"
"nevisdetect-persistency:8.2411.0"
"nevisadapt-dbschema:8.2411.0"
"nevisdetect-persistency-dbschema:8.2411.0"
"nevis-git-init:1.3.0"
"nevisdp:8.2405.0"
"nevis-ubi-tools:1.4.0"
"nevis-base-flyway:8.2411.0")
for i in "${images[@]}"; do
    # pull from the Nevis registry, retag under the nevis/ prefix of the cluster registry, push
    docker pull "$REGISTRY/$i"
    docker tag "$REGISTRY/$i" "$CONTAINER_REGISTRY/nevis/$i"
    docker push "$CONTAINER_REGISTRY/nevis/$i"
done

Save it as publish_images.sh, then run:

chmod +x publish_images.sh
./publish_images.sh

Deploy cert-manager

If the Kubernetes cluster does not have cert-manager already installed, then follow the official guide: https://cert-manager.io/docs/installation/helm/

Install CRD chart

Install the helm chart that contains the CustomResourceDefinitions used by nevisAdmin 4.

helm install nevisadmin4-crd nevisadmin4-crd --repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/
Caution: Uninstalling this chart deletes all the existing CustomResources, which results in the deletion of all the deployments made with nevisAdmin 4.

Install nevisAdmin 4 chart

Prepare secrets for installation

Prepare the required secrets to be used by the helm chart. This is done to avoid plain secret values in the values.yaml.

Create namespace

kubectl create namespace $RELEASE_NAMESPACE

Create credential secrets

These secrets are used to avoid having plain values in the values.yaml.

# nevisAdmin 4 admin user credential
kubectl create secret generic nevis-nevisadmin4-admin-credential \
--from-literal=password=$NEVISADMIN_PASSWORD \
-n $RELEASE_NAMESPACE

# git credential
kubectl create secret generic nevis-git-credential \
--from-file=key=key \
--from-file=key.pub=key.pub \
--from-file=known_hosts=known_hosts \
--from-literal=passphrase="" \
--from-literal=username="" \
--from-literal=password="" \
-n $RELEASE_NAMESPACE

# database credential
kubectl create secret generic nevis-database-credential \
--from-literal=username=$DB_ROOT_USER \
--from-literal=password=$DB_ROOT_PASSWORD \
-n $RELEASE_NAMESPACE

# nevisAdmin 4 database credential
kubectl create secret generic nevis-nevisadmin4-database-credential \
--from-literal=applicationUser=admin4appuser \
--from-literal=applicationUserPassword=$DB_NEVISADMIN_APP_USER_PASSWORD \
--from-literal=schemaUser=admin4schemauser \
--from-literal=schemaUserPassword=$DB_NEVISADMIN_SCHEMA_USER_PASSWORD \
-n $RELEASE_NAMESPACE

The nevis-database-credential secret can be used for the Root Credential and Root Credential Namespace fields in the database patterns inside nevisAdmin 4.

For more configuration options see the values table below.
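The chart reads the prepared secrets by name, so a misspelled secret or a missing key (the git secret must contain all six keys even when the http or ssh ones are empty, see git.credentialSecret in the values table) only surfaces once the pods fail to start. The script below is an added example, not part of the Nevis documentation, that lists the keys of each prepared secret with `kubectl get secret -o go-template` and compares them with the keys the chart expects. Secret and key names are the ones used by the kubectl commands above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Nevis documentation: verify the prepared
# secrets in the release namespace before running "helm install".

# One line per secret: <secret name>|<required keys, space separated>
SECRET_SPECS='nevis-nevisadmin4-admin-credential|password
nevis-git-credential|key key.pub known_hosts passphrase username password
nevis-database-credential|username password
nevis-nevisadmin4-database-credential|applicationUser applicationUserPassword schemaUser schemaUserPassword'

# Print the key names in the .data map of secret $1 in namespace $2, one per
# line (empty output if the secret does not exist). This is the only function
# that talks to the cluster.
secret_keys() {
  kubectl get secret "$1" -n "$2" \
    -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}' 2>/dev/null
}

# Compare the key list read from stdin against the required keys in $2 for
# secret $1; prints the missing keys and returns 1 if any are absent.
check_secret_keys() {
  present=$(cat)
  missing=""
  for k in $2; do
    printf '%s\n' "$present" | grep -qxF "$k" || missing="$missing $k"
  done
  if [ -n "$missing" ]; then
    echo "secret $1: missing keys:$missing"
    return 1
  fi
  return 0
}

# Check every secret in SECRET_SPECS in namespace $1.
check_prepared_secrets() {
  rc=0
  while IFS='|' read -r name keys; do
    [ -n "$name" ] || continue
    have=$(secret_keys "$name" "$1")
    if [ -z "$have" ]; then
      echo "secret $name: not found in namespace $1"
      rc=1
      continue
    fi
    printf '%s\n' "$have" | check_secret_keys "$name" "$keys" || rc=1
  done <<EOF
$SECRET_SPECS
EOF
  return $rc
}

# Run against the cluster only when kubectl and the namespace are available.
if [ -n "${RELEASE_NAMESPACE:-}" ] && command -v kubectl >/dev/null 2>&1; then
  check_prepared_secrets "$RELEASE_NAMESPACE" && echo "all prepared secrets are complete"
fi
```

Only the key names are read, never the values, so the check can run from a workstation or pipeline account that is allowed to `get` secrets without exposing the credentials in logs.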

Install

Kubernetes

helm install $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE \
--repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
--set image.repository=$CONTAINER_REGISTRY \
--set git.repositoryUrl=$GIT_REPOSITORY_URL \
--set git.credentialSecret=nevis-git-credential \
--set database.host=$DATABASE_HOST \
--set database.root.preparedCredentialSecret=nevis-database-credential \
--set nevisAdmin4.domain=$DOMAIN \
--set nevisAdmin4.credentialSecret=nevis-nevisadmin4-admin-credential \
--set nevisAdmin4.database.credentialSecret=nevis-nevisadmin4-database-credential \
--set nginx.nameOverride=$RELEASE_NAMESPACE-nginx

OpenShift

Because ingress-nginx must run as user 101 and needs capabilities such as NET_BIND_SERVICE, the SecurityContext it uses has to be changed on OpenShift. Additionally, OpenShift does not allow setting the fsGroup of the nevisAdmin 4 deployment.

# Username for the registry
REGISTRY_USERNAME=
# Password for the registry
REGISTRY_PASSWORD=

# Prepare registry secret
oc create secret docker-registry registry-secret --docker-server="$CONTAINER_REGISTRY" --docker-username="$REGISTRY_USERNAME" --docker-password="$REGISTRY_PASSWORD" -n "$RELEASE_NAMESPACE"
# Prepare nginx service account
oc create serviceaccount nevisadmin4-nginx -n "$RELEASE_NAMESPACE"
oc adm policy add-scc-to-user privileged -z nevisadmin4-nginx -n "$RELEASE_NAMESPACE"

helm install $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE \
--repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
--set image.repository=$CONTAINER_REGISTRY \
--set image.imagePullSecretName=registry-secret \
--set git.repositoryUrl=$GIT_REPOSITORY_URL \
--set git.credentialSecret=nevis-git-credential \
--set database.host=$DATABASE_HOST \
--set database.root.preparedCredentialSecret=nevis-database-credential \
--set nevisAdmin4.domain=$DOMAIN \
--set nevisAdmin4.podSecurityContext.fsGroup=null \
--set nevisAdmin4.credentialSecret=nevis-nevisadmin4-admin-credential \
--set nevisAdmin4.database.credentialSecret=nevis-nevisadmin4-database-credential \
--set nginx.serviceAccount.create=false \
--set nginx.serviceAccount.name=nevisadmin4-nginx \
--set nginx.nameOverride=$RELEASE_NAMESPACE-$RELEASE_NAME

Upgrade

To upgrade the installation, copy over the new images from Upload Nevis Docker Images then run:

helm get values $RELEASE_NAME -n $RELEASE_NAMESPACE > values.yaml \
&& helm upgrade $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE -f values.yaml \
--repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
--set <your-new-values> \
--version <version-to-upgrade>

If the version is not provided, it upgrades to the latest one.

Using existing ingress-nginx installation

Set nginx.enabled to false, and set nginx.controller.ingressClassResource.name and nginx.controller.ingressClass to the ingress class of the existing ingress-nginx controller.

On some installations, the snippet feature is disabled by default. Since it is required for the side-by-side deployment to function, make sure that you have the following in the ConfigMap used by ingress-nginx:

allow-snippet-annotations: "true"
annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,',\

It's recommended to use a blocklist to prevent misuse.
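Enabling snippet annotations lets anyone who can create an Ingress in the cluster inject nginx configuration, so the word blocklist is what keeps that ability from turning into module loading or document-root changes; both keys therefore have to be present together. The script below is an added example, not from the Nevis documentation or the ingress-nginx project, that checks an exported controller ConfigMap for exactly that: `allow-snippet-annotations` must be `true` and the blocklist must contain every entry the chart's own `nginx.controller` default uses. It assumes the flat `key: value` layout `kubectl get configmap -o yaml` prints with single-line values; the function names and the sample ConfigMap are this example's own.

```shell
#!/bin/sh
# Added example, not from the Nevis documentation or ingress-nginx: check the
# snippet settings of an ingress-nginx ConfigMap exported with
#   kubectl get configmap <controller-configmap> -n <namespace> -o yaml > cm.yaml

# Entries the chart's nginx.controller default places on the blocklist.
REQUIRED_BLOCKLIST_WORDS="load_module lua_package _by_lua location root proxy_pass serviceaccount"

# Print the value of key $2 from the top-level data: block of ConfigMap file $1,
# without surrounding quotes. Keys under metadata: or elsewhere are ignored.
configmap_value() {
  awk -v key="$2" '
    /^[^ ]/ { in_data = ($0 == "data:"); next }
    in_data && index($0, "  " key ":") == 1 {
      v = substr($0, length(key) + 4)
      sub(/^[ \t]+/, "", v)
      print v
      exit
    }' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Verify the snippet settings; prints each problem and returns 1 if any.
check_ingress_configmap() {
  rc=0
  allow=$(configmap_value "$1" allow-snippet-annotations)
  if [ "$allow" != "true" ]; then
    echo "allow-snippet-annotations is '${allow:-unset}', expected \"true\""
    rc=1
  fi
  blocklist=$(configmap_value "$1" annotation-value-word-blocklist)
  if [ -z "$blocklist" ]; then
    echo "annotation-value-word-blocklist is unset: snippets would be accepted unfiltered"
    return 1
  fi
  # entries are comma separated; compare each one as a whole word
  entries=$(printf '%s' "$blocklist" | tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
  for w in $REQUIRED_BLOCKLIST_WORDS; do
    printf '%s\n' "$entries" | grep -qxF "$w" || { echo "blocklist lacks: $w"; rc=1; }
  done
  return $rc
}

# Constructed sample ConfigMap (not taken from a real cluster).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: "true"
  annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount
EOF
check_ingress_configmap "$SAMPLE" && echo "ingress-nginx ConfigMap OK"
rm -f "$SAMPLE"
```

Run `check_ingress_configmap cm.yaml` after exporting the live ConfigMap; a non-zero exit means the side-by-side deployment will either not work (snippets off) or work without the protection the blocklist provides.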

Configure an example Project and Inventory in the GUI

The final step is to import and deploy an example project using nevisAdmin 4:

  1. In the nevisAdmin 4 Welcome or Project Settings screen, import the following project: project_CLOUD-PROJECT_20200519T102912Z.zip. Then adapt the project:

    • Set the latest libraries in the Administration tab under Standard libraries.
    • Open the just imported Cloud-Project project in the Configuration tab. Note that the patterns nevisAuth/nevisProxy Remote Session Store and nevisIDM Database are marked with a red bullet point - this is because their database hostname is incorrect. Correct the database hostname of these patterns.
  2. In the Administration > Inventory Settings screen, import the following inventory: inventory_CLOUD-INVENTORY_20200519T102841Z.zip. Then adapt the inventory:

    • Enter the URL of your GitHub repository.

    • Enter the component namespace where the Nevis components will be deployed. This is the same as the RELEASE_NAMESPACE unless additionalComponentNamespaces were used.

    • Enter the DOMAIN for the proxy-host-name.

    • Enter the API URL of your Kubernetes cluster using HTTPS and port 443. As long as nevisadmin4 is inside the cluster https://kubernetes.default.svc:443 can be used.

    • Enter the token of your Kubernetes cluster. Get the token by executing the following command:

      kubectl describe secret -n $RELEASE_NAMESPACE nevisadmin4-sa-secret | grep token
  3. Click the Deploy button and go through the steps of the Deployment Wizard. If there is a warning, you can just accept it and continue.

  4. Go to the following URLs to test:

URLs to test

# nevisIDM admin reachable here, default credentials: bootstrap/generated
google-chrome https://$DOMAIN/nevisidm/admin

# Example standalone nevisAuth flow
google-chrome https://$DOMAIN/

Values

additionalComponentNamespaces

Namespaces listed here become additional deployment targets for nevisAdmin4. Each namespace has to exist already.

Type: list

Default:

[]

bootstrap

Supports importing initial projects and inventories into nevisAdmin 4 and creating a repository in gitea.

Type: object

Default:

annotations: {}
gitea:
enabled: false
image:
version: 1.3.0
labels: {}
nevisAdmin4:
enabled: false
podAnnotations: {}
podLabels: {}

bootstrap.annotations

Annotations to put onto the Job.

Type: object

Default:

{}

bootstrap.labels

Labels to put onto the bootstrap job.

Type: object

Default:

{}

bootstrap.podAnnotations

Annotations to put onto the pods.

Type: object

Default:

{}

bootstrap.podLabels

Labels to put onto the bootstrap job pod.

Type: object

Default:

{}

certManager.createCAIssuer

Creates a CA issuer in the main release namespace; a self-signed issuer is also created to bootstrap the root CA.

Type: bool

Default: true

certManager.createLetsEncryptIssuer

Creates a Let's Encrypt issuer in every component namespace.

Type: bool

Default: true

database.host

Database host, example: mariadb29a7439e.mariadb.database.azure.com

Type: string

Default: not set

database.port

Database port

Type: string

Default: "3306"

database.root.credentialSecret

DEPRECATED: Use preparedCredentialSecret instead. Secret containing the username and password for the root user. Must have the "username" and "password" key.

Type: string

Default: "helm-database-credential"

database.root.password

Root password in plain value. It's recommended to prepare a secret instead.

Type: string

Default: not set

database.root.preparedCredentialSecret

When using this value, root-creds secret will only be created in the namespace where nevisAdmin4 resides. Adjust the Root Credential Namespace in the Database patterns of nevisAdmin 4 before the migration to this value.

Type: string

Default: not set

database.root.username

Root username in plain value. It's recommended to prepare a secret instead.

Type: string

Default: not set

database.type

Type of the database, supported values: mariadb, postgresql

Type: string

Default: "mariadb"

git.credentialSecret

Secret containing the git credentials, to avoid having plain values in the values file. Must have the "key", "key.pub", "known_hosts", "passphrase", "username" and "password" secret keys. In case only http or ssh is used, the corresponding keys can be empty, but they still have to exist in the secret.

Type: string

Default: not set

git.httpCredentialSecret

DEPRECATED: Use credentialSecret instead. Secret containing the username and password for http authentication. Must have the "username" and "password" key.

Type: string

Default: not set

git.knownHosts64

Base64 known_hosts.

Type: string

Default: not set

git.passphrase

Private key passphrase

Type: string

Default: not set

git.password

Password used for http authentication. It's recommended to prepare a secret instead.

Type: string

Default: not set

git.privateKey64

Base64 git private key.

Type: string

Default: not set

git.publicKey64

Base64 git public key.

Type: string

Default: not set

git.repositoryUrl

Git repository, can be either ssh or http

Type: string

Default: not set

git.repositoryUrlMap

Makes it possible to use a different repository for each component namespace

Type: object

Default:

{}

git.sshCredentialSecret

DEPRECATED: Use credentialSecret instead. Secret containing the git credentials, to avoid having plain values in the values file. Must have "key", "key.pub", "known_hosts" key.

Type: string

Default: "helm-git-ssh"

git.username

Username used for http authentication. It's recommended to prepare a secret instead.

Type: string

Default: not set

gitea.enabled

Type: bool

Default: false

gitea.fullnameOverride

Name of the gitea deployment

Type: string

Default: "gitea"

gitea.gitea.admin.email

Type: string

Default: "[email protected]"

gitea.gitea.admin.password

Gitea admin password

Type: string

Default: not set

gitea.gitea.admin.username

Gitea admin username

Type: string

Default: not set

gitea.gitea.config.cache.ADAPTER

Type: string

Default: "memory"

gitea.gitea.config.cache.ENABLED

Type: bool

Default: true

gitea.gitea.config.cache.HOST

Type: string

Default: "127.0.0.1:9090"

gitea.gitea.config.cache.INTERVAL

Type: int

Default: 60

gitea.gitea.config.database.DB_TYPE

Type: string

Default: "mysql"

gitea.gitea.config.database.HOST

Type: string

Default: "mariadb:3306"

gitea.gitea.config.database.NAME

Type: string

Default: "gitea"

gitea.gitea.config.database.PASSWD

Database user password

Type: string

Default: not set

gitea.gitea.config.database.SCHEMA

Type: string

Default: "gitea"

gitea.gitea.config.database.USER

Database user for gitea

Type: string

Default: not set

gitea.gitea.config.server.ROOT_URL

Root url of gitea

Type: string

Default: not set

gitea.image.rootless

Use rootless image

Type: bool

Default: true

gitea.ingress.annotations."cert-manager.io/cluster-issuer"

Type: string

Default: "letsencrypt-prod"

gitea.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target"

Type: string

Default: "/$2"

gitea.ingress.apiVersion

Type: string

Default: "networking.k8s.io/v1"

gitea.ingress.enabled

Type: bool

Default: true

gitea.ingress.hosts[0].host

Type: string

Default: not set

gitea.ingress.hosts[0].paths[0].path

Type: string

Default: "/gitea(/|$)(.*)"

gitea.ingress.hosts[0].paths[0].pathType

Type: string

Default: "ImplementationSpecific"

gitea.ingress.tls[0].hosts[0]

Type: string

Default: not set

gitea.ingress.tls[0].secretName

Type: string

Default: "gitea-tls"

gitea.job.annotations

Annotations to put onto the Job.

Type: object

Default:

{}

gitea.job.labels

Type: object

Default:

{}

gitea.job.podAnnotations

Annotations to put onto the pods.

Type: object

Default:

{}

gitea.job.podLabels

Labels to put onto the bootstrap job pod.

Type: object

Default:

{}

gitea.memcached.enabled

Type: bool

Default: false

gitea.mysql.enabled

Type: bool

Default: false

gitea.postgresql.enabled

Type: bool

Default: false

gitea.statefulset.env[0].name

Type: string

Default: "HOME"

gitea.statefulset.env[0].value

Type: string

Default: "/data/git"

image.imagePrefix

Image prefix, nevis images will be pulled from [repository]/[imagePrefix]

Type: string

Default: "nevis"

image.imagePullSecretName

Name of the secret containing the credentials, only necessary if a private repository is used.

Type: string

Default: not set

image.repository

Repository where the images will be pulled from

Type: string

Default: not set

maria.auth.password

Name of the additional user created for mariadb

Type: string

Default: "nevis"

maria.auth.rootPassword

Root password of mariadb

Type: string

Default: not set

maria.auth.username

Password of the additional user

Type: string

Default: not set

maria.enabled

Type: bool

Default: false

maria.fullnameOverride

Name of the mariadb deployment

Type: string

Default: "mariadb"

maria.primary.configuration

Type: string

Default:

[mysqld]
skip-name-resolve
explicit_defaults_for_timestamp
basedir=/opt/bitnami/mariadb
plugin_dir=/opt/bitnami/mariadb/plugin
port=3306
socket=/opt/bitnami/mariadb/tmp/mysql.sock
tmpdir=/opt/bitnami/mariadb/tmp
max_allowed_packet=16M
bind-address=*
pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid
log-error=/opt/bitnami/mariadb/logs/mysqld.log
character-set-server=utf8mb4
slow_query_log=0
slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log
long_query_time=10.0
max_connections=1200
connect_timeout=5
wait_timeout=600
transaction-isolation=READ-COMMITTED
lower_case_table_names=1
log_bin_trust_function_creators=1

[client]
port=3306
socket=/opt/bitnami/mariadb/tmp/mysql.sock
default-character-set=UTF8
plugin_dir=/opt/bitnami/mariadb/plugin

[manager]
port=3306
socket=/opt/bitnami/mariadb/tmp/mysql.sock
pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid

nevisAdmin4.affinity

Type: object

Default:

{}

nevisAdmin4.annotations

Additional annotations to be put on the nevisAdmin4 StatefulSet.

Type: object

Default:

{}

nevisAdmin4.certManagerIssuer

Specify the cert-manager issuer for the nevisAdmin4 ingress

Type: string

Default: "letsencrypt-prod"

nevisAdmin4.config

low level configuration options

Type: object

Default:

env: ""
logback: ""
nevisadmin4: {}

nevisAdmin4.config.env

Content of env.conf configuration file as multiline string

Type: string

Default: not set

nevisAdmin4.config.logback

Content of logback.xml configuration file as multiline string

Type: string

Default: not set

nevisAdmin4.config.nevisadmin4

Content of nevisadmin4.yml configuration file

Type: object

Default:

{}

nevisAdmin4.configOverrideEnabled

The env.conf, nevisadmin4.yml and logback.xml can be overwritten by placing a file with the same name beside the values.yaml.

Type: bool

Default: false

nevisAdmin4.containerSecurityContext

Security context for the nevisAdmin4 pod containers.

Type: object

Default:

allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

nevisAdmin4.cors

cors attributes

Type: object

Default:

{}

nevisAdmin4.credentialSecret

Secret containing the initial password of nevisAdmin4 to avoid plain values in the values file. Must have the "password" key. If neither credentialSecret nor password is given, the password will be autogenerated. Must be prepared in advance.

Type: string

Default: not set

nevisAdmin4.database.applicationUser

Database user by nevisAdmin4

Type: string

Default: "admin4appuser"

nevisAdmin4.database.applicationUserPassword

Database app user password.

Type: string

Default: not set

nevisAdmin4.database.credentialSecret

Secret containing schema and application user credentials to avoid plain values in the values file. Must have the "applicationUser", "applicationUserPassword", "schemaUser" and "schemaUserPassword" keys. Must be prepared in advance.

Type: string

Default: not set

nevisAdmin4.database.enableSSL

Disable SSL if it is not supported by the database.

Type: bool

Default: true

nevisAdmin4.database.job

Values for the dbschema job

Type: object

Default:

annotations: {}
cleanupEnabled: true
labels: {}
podAnnotations: {}
podLabels: {}
ttlSecondsAfterFinished: 1200

nevisAdmin4.database.job.annotations

Annotations to put onto the migration job.

Type: object

Default:

{}

nevisAdmin4.database.job.cleanupEnabled

The dbschema job will be deleted automatically.

Type: bool

Default: true

nevisAdmin4.database.job.labels

Labels to put onto the migration job.

Type: object

Default:

{}

nevisAdmin4.database.job.podAnnotations

Annotations to put onto the migration job pod.

Type: object

Default:

{}

nevisAdmin4.database.job.podLabels

Labels to put onto the migration job pod.

Type: object

Default:

{}

nevisAdmin4.database.name

Name of the database

Type: string

Default: "nevisadmin4"

nevisAdmin4.database.schemaUser

Database user used for the migration of the database for nevisAdmin4.

Type: string

Default: "admin4schemauser"

nevisAdmin4.database.schemaUserPassword

Database schema user password.

Type: string

Default: not set

nevisAdmin4.domain

Domain where nevisAdmin4 will be reachable

Type: string

Default: not set

nevisAdmin4.enabled

Type: bool

Default: true

nevisAdmin4.extraEnvs

Additional environment variables that will be added to the nevisAdmin4 container

Type: list

Default:

[]

nevisAdmin4.image.migrationTag

Overrides the dbschema image tag whose default is the chart appVersion.

Type: string

Default: not set

nevisAdmin4.image.tag

Overrides the image tag whose default is the chart appVersion.

Type: string

Default: not set

nevisAdmin4.ingress.annotations

Annotations to be put on the nevisAdmin4 Ingress.

Type: object

Default:

nginx.ingress.kubernetes.io/proxy-body-size: 100m

nevisAdmin4.ingress.enabled

Type: bool

Default: true

nevisAdmin4.ingressIssuerAnnotation

cert-manager annotation to put on the ingress

Type: string

Default: "cert-manager.io/issuer"

nevisAdmin4.labels

Additional labels to be put on the nevisAdmin4 StatefulSet.

Type: object

Default:

{}

nevisAdmin4.ldap

ldap attributes for the nevisadmin4.yml

Type: object

Default:

context: {}
enabled: false
search: {}
truststore64: ""
truststorePassphrase: ""
user: {}

nevisAdmin4.ldap.context

ldap context block

Type: object

Default:

{}

nevisAdmin4.ldap.enabled

Enable ldap

Type: bool

Default: false

nevisAdmin4.ldap.search

ldap search block

Type: object

Default:

{}

nevisAdmin4.ldap.truststore64

pkcs12 truststore in base64 format

Type: string

Default: not set

nevisAdmin4.ldap.truststorePassphrase

truststore passphrase

Type: string

Default: not set

nevisAdmin4.ldap.user

ldap user block

Type: object

Default:

{}

nevisAdmin4.livenessProbe

Specify a custom livenessProbe.

Type: object

Default:

{}

nevisAdmin4.managementPort

Management port, this is where the health checks will be available

Type: int

Default: 9889

nevisAdmin4.migrationResources.limits.cpu

Type: string

Default: "1000m"

nevisAdmin4.migrationResources.limits.memory

Type: string

Default: "1000Mi"

nevisAdmin4.migrationResources.requests.cpu

Type: string

Default: "20m"

nevisAdmin4.migrationResources.requests.memory

Type: string

Default: "200Mi"

nevisAdmin4.nodeSelector

Type: object

Default:

{}

nevisAdmin4.otel.enabled

Enable OpenTelemetry forwarding

Type: bool

Default: false

nevisAdmin4.otel.protocol

OpenTelemetry protocol

Type: string

Default: "http/protobuf"

nevisAdmin4.otel.url

OpenTelemetry url

Type: string

Default: not set

nevisAdmin4.password

Initial password of nevisAdmin4. If neither credentialSecret nor password is given, it will be autogenerated.

Type: string

Default: not set

nevisAdmin4.podAnnotations

Additional annotations to be put on the nevisAdmin4 pods.

Type: object

Default:

{}

nevisAdmin4.podLabels

Additional labels to be put on the nevisAdmin4 pods.

Type: object

Default:

{}

nevisAdmin4.podSecurityContext

Security context for the nevisAdmin4 pods.

Type: object

Default:

fsGroup: 2000
runAsNonRoot: true

nevisAdmin4.port

Default port of nevisAdmin4

Type: int

Default: 9080

nevisAdmin4.productAnalytics.enabled

Enable product analytics

Type: bool

Default: false

nevisAdmin4.productAnalytics.prometheus.credentialSecret

Credential secret for Prometheus in case basic authentication is enabled. Has to have "password" and "username" keys.

Type: string

Default: not set

nevisAdmin4.productAnalytics.prometheus.password

Password for Prometheus in case basic authentication is enabled

Type: string

Default: not set

nevisAdmin4.productAnalytics.prometheus.url

base url of the Prometheus instance

Type: string

Default: not set

nevisAdmin4.productAnalytics.prometheus.username

Username for Prometheus in case basic authentication is enabled

Type: string

Default: not set

nevisAdmin4.readinessProbe

Specify a custom readinessProbe.

Type: object

Default:

{}

nevisAdmin4.resources.limits.cpu

Type: string

Default: "4000m"

nevisAdmin4.resources.limits.memory

Type: string

Default: "4500Mi"

nevisAdmin4.resources.requests.cpu

Type: string

Default: "1000m"

nevisAdmin4.resources.requests.memory

Type: string

Default: "1500Mi"

nevisAdmin4.saml.attribute

SAML attributes, by default it is set up for azure AD

Type: object

Default:

email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
first-name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
group-keys: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
last-name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
user-key: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

nevisAdmin4.saml.certificate64

Base64 saml.crt.

Type: string

Default: not set

nevisAdmin4.saml.enabled

Enable SAML login

Type: bool

Default: false

nevisAdmin4.saml.idp.metadataUri

Type: string

Default: nil

nevisAdmin4.saml.keySecret

Secret containing the SAML key and certificate to avoid using local files. Must be prepared in advance. Must have the saml.key and saml.crt keys.

Type: string

Default: not set

nevisAdmin4.saml.privateKey64

Base64 saml.key.

Type: string

Default: not set

nevisAdmin4.springProfiles

Comma separated list of spring profiles to use, overrides all defaults

Type: string

Default: not set

nevisAdmin4.storageClass

Specify the storage class for the nevisAdmin4 persistent volume

Type: string

Default: not set

nevisAdmin4.tls.enabled

Enable HTTPS for nevisadmin4; it only affects the traffic between nginx and nevisadmin4.

Type: bool

Default: false

nevisAdmin4.tls.keyAlias

The key alias

Type: string

Default: "nevisadmin"

nevisAdmin4.tls.keystore

Keystore file to use, will be used instead of the prepared secret or base64 if the file is available in the chart folder.

Type: string

Default: "keystore.p12"

nevisAdmin4.tls.keystore64

Base64 keystore file.

Type: string

Default: not set

nevisAdmin4.tls.keystoreSecret

Secret containing the TLS keystore, to avoid plain values and local files. Must be prepared in advance. Must have the "passphrase" key and a key named after the value of tls.keystore.

Type: string

Default: not set

nevisAdmin4.tls.keystoreType

Keystore type

Type: string

Default: "pkcs12"

nevisAdmin4.tls.passphrase

Keystore passphrase

Type: string

Default: not set

nevisAdmin4.tls.port

Port to use if https is enabled

Type: int

Default: 8443

nevisAdmin4.tolerations

Type: list

Default:

[]

nevisOperator.affinity

Type: object

Default:

{}

nevisOperator.annotations

Annotations to put onto the Deployment.

Type: object

Default:

{}

nevisOperator.certificateDuration

Certificate duration of the internal certificates created with cert-manager

Type: string

Default: "8760h"

nevisOperator.containerSecurityContext

Security context for the nevisOperator pod containers.

Type: object

Default:

allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

nevisOperator.csr

These values will be used for creating the internal certificates with cert-manager.

Type: object

Default:

country: CH
email-address: [email protected]
locality: K8S
organization: K8S
organizational-unit: K8S
province: K8S

nevisOperator.defaultImagePullPolicy

Sets the default imagePullPolicy for the deployed components by nevisAdmin 4

Type: string

Default: not set

nevisOperator.enableLeaderElection

Enable leader election for nevisOperator; this makes it possible to run with multiple replicas.

Type: bool

Default: true

nevisOperator.image.tag

Overrides the image tag whose default is the chart appVersion.

Type: string

Default: not set

nevisOperator.ingressIssuer

Name of the issuer that will be used for the generated ingresses

Type: string

Default: "letsencrypt-prod"

nevisOperator.ingressIssuerAnnotation

cert-manager annotation to put on the ingress

Type: string

Default: "cert-manager.io/issuer"

nevisOperator.internalIssuer

Name of the internal issuer used to create the certificate for internal communication between the components

Type: string

Default: "ca-issuer"

nevisOperator.internalIssuerCASecret

Name of the CA secret of the internal issuer

Type: string

Default: "ca-root-secret"

nevisOperator.internalIssuerCASecretNamespace

Namespace of the CA secret, defaults to the release namespace

Type: string

Default: not set

nevisOperator.internalIssuerNamespace

Namespace of the internal issuer used to create the certificate for internal communication between the components

Type: string

Default: not set

nevisOperator.labels

Labels to put onto the Deployment.

Type: object

Default:

{}

nevisOperator.nodeSelector

Type: object

Default:

{}

nevisOperator.podAnnotations

Annotations to put onto the pods.

Type: object

Default:

{}

nevisOperator.podLabels

Labels to put onto the pods.

Type: object

Default:

{}

nevisOperator.podSecurityContext

Security context for the nevisOperator pods.

Type: object

Default:

runAsNonRoot: true

nevisOperator.replicas

Type: int

Default: 1

nevisOperator.resources.limits.cpu

Type: string

Default: "200m"

nevisOperator.resources.limits.memory

Type: string

Default: "256Mi"

nevisOperator.resources.requests.cpu

Type: string

Default: "100m"

nevisOperator.resources.requests.memory

Type: string

Default: "96Mi"

nevisOperator.restrictNamespaces.additionalNamespaces

If the goal is to deploy to these namespaces, use the additionalComponentNamespaces value instead.

Type: list

Default:

[]

nevisOperator.restrictNamespaces.enabled

By default, nevisOperator only has access to the namespace where it resides, and the namespaces from the additionalComponentNamespaces

Type: bool

Default: true

nevisOperator.tolerations

Type: list

Default:

[]

nginx.controller

Settings for the nginx ingress controller.

Type: object

Default:

admissionWebhooks:
enabled: false
config:
annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount
ingressClassResource:
enabled: true
name: nginx
service:
externalTrafficPolicy: Local

nginx.enabled

Disable if nginx is already installed. See nginx.controller for configuration.

Type: bool

Default: true

podLabels

Labels that will be put onto every pod created by the chart.

Type: object

Default:

{}

serviceAccount.create

Enable service account creation, if disabled the default service account will be used

Type: bool

Default: true

serviceAccount.name

Override the name of the created service account for nevisadmin4

Type: string

Default: not set

serviceAccount.nevisOperatorName

Override the name of the created service account for nevisoperator

Type: string

Default: not set

Installation automation on Kubernetes

The installation process described in Installation automation on OpenShift is also available for Kubernetes: kubernetes-installer.sh